Displaying 20 results from an estimated 72 matches for "oif".
Did you mean:
if
2005 Apr 29
1
problem with nth patch, counter parameter...I think
...e would be effecting the other, but it does.
Here is my iptables -t mangle -L on tunnel server 2, before adding,
and after adding.
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ROUTE all -- anywhere (Network C) every 2th packet
#0 ROUTE oif:AMC_TUN1 gw:172.16.0.38
ROUTE all -- anywhere (Network C) every 2th packet
#1 ROUTE oif:AMC_TUN2 gw:172.16.0.42
ROUTE all -- anywhere (Network D) every 2th packet
#0 ROUTE oif:TB_TUN1 gw:172.16.0.26
ROUTE all -- anywhere (Network D) every...
2006 Dec 16
1
ipfw: did i forget anything?
...e-mail and pretty much deny everything else. If someone
would have the time to have a quick look at this to see if there's
anything wrong with it i would really appreciate it!
Bye,
jurjen.
ps. here is my ruleset:
#!/bin/sh
ipfw -q flush
cmd="ipfw -q add"
ks="keep-state"
oif="ath0"
#setup the loopback
$cmd 001 allow all from any to any via lo0
$cmd 002 deny all from any to 127.0.0.0/8
$cmd 003 deny ip from 127.0.0.0/8 to any
#check state of incoming packets
$cmd 010 check-state
####
# Outgoing
#allow outgoing connections to internetsites, ssh sites
#...
2018 Jan 30
5
[Bug 1220] New: Reverse path filtering using "fib" needs better documentation
...at netfilter.org
Reporter: f30 at f30.me
Reverse path filtering means dropping a packet if connections to its source IP
wouldn't use the same interface the packet arrived on. The nftables wiki states
[1] that this can be implemented like:
nft add rule x prerouting fib saddr . iif oif eq 0 drop
Slides by Florian Westphal [2] suggest to use:
nft add rule ... fib saddr . oif oif = 0 drop
But this fails with "Invalid argument" even when replacing "=" by "==" or "eq".
`fib saddr . iif oif eq 0` achieves the desired goal (except for bugs...
2005 Jan 26
0
Controlling Outbound traffic...alternative to dsl_qos_queue
...sl_qos_queue adds a QUEUE Target to the
POSTROUTING chain for reading the MARKed packets , and i recently added a
-j ROUTE target for my load balancing configuration to this chain:
/sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner
pure-ftpd -m nth --every 9 --packet 0 -j ROUTE --oif ppp1
/sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner
pure-ftpd -m nth --every 9 --packet 1 -j ROUTE --oif ppp1
/sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner
pure-ftpd -m nth --every 9 --packet 2 -j ROUTE --oif ppp1
/sbin/iptables -A POSTROUTING -o ppp+ -t...
2004 Feb 19
2
traffic normalizer for ipfw?
Hi there,
Is there some way to configure ipfw to do traffic
normalizing ("scrubbing", as in ipf for OpenBSD)? Is
there any tool to do it for FreeBSD firewalling?
I've heard that ipf was ported on current, anything
else?
TIA,
/Dorin.
__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools
2014 Jan 09
3
[Bug 884] New: the rule of TEE target with '--oif' option cannot be deleted.
https://bugzilla.netfilter.org/show_bug.cgi?id=884
Summary: the rule of TEE target with '--oif' option cannot be
deleted.
Product: iptables
Version: 1.4.x
Platform: i386
OS/Version: Fedora
Status: NEW
Severity: minor
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at...
2005 Aug 21
1
Security warning with sshd
In my recent security email, I got the following errors:
cantona.dnswatchdog.com login failures:
Aug 20 02:37:19 cantona sshd[9444]: fatal: Write failed: Operation not permitted
Aug 20 04:30:42 cantona sshd[16142]: fatal: Write failed: Operation
not permitted
Aug 20 21:21:51 cantona sshd[45716]: fatal: Write failed: Operation
not permitted
So three questions: What is it? Should I be worried?
2003 Dec 23
2
address specified as 1.2.3.4/24{128,35-55,89} Is this Correct ????
The man page gives this example, however, when I attempt to use it, it seems
to block the whole set?
Could someone tell me what's going wrong here please. Thanks heaps..
This works,
${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}
This blocks the whole IP block, not just the list?
${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}
the man page bit...
list: {num | num-num}[,list]
Matches all addresses with base address addr (specified as a
dot-...
2018 Jan 30
7
[Bug 1221] New: "fib" produces strange results with an IPv6 default route
...OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: f30 at f30.me
I am trying to implement reverse path filtering using "fib" rules like `fib
saddr . iif oif 0 drop`.
I don't understand why exactly (see #1220), but this generally works for IPv4
and IPv6 without a default route. However, "fib" starts to behave strangely
with a v6 default route.
Assume a host with two interfaces, enp0s5 and enp0s6, and the following IP
addresses:
> ip...
2008 Apr 21
2
graphics history
...e history by code. Any ideas?
Thanks and best regards,
Norbert
--
**********************************************************
Mag. Norbert Neuwirth
?sterreichisches Institut f?r Familienforschung (?IF) - Universit?t Wien
Austrian Institute for Family Studies - University of Vienna
http://www.oif.ac.at
e-mail: norbert.neuwirth at oif.ac.at
tel: +43-1-4277-489-11
fax: +43-1-4277-9-489
address: A-1010 Wien, Grillparzerstra?e 7/9
2005 Feb 02
2
Packet Level Load Balance inbound/outbound success with nth and route
...ip addr add 172.16.0.2/30 dev client_tun1
ip addr add 172.16.0.6/30 dev client_tun2
traffic outbound from the client doesnt need to go out the tunnel, but
it does need to be split
--client--
iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth
--counter 0 --every 2 --packet 0 -j ROUTE --oif eth1 --gw 64.20.12.45
iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth
--counter 0 --every 2 --packet 1 -j ROUTE --oif eth2 --gw 64.20.12.49
traffic inbound to the client will go to the server, and come to
client through the tunnel
--server--
iptables -A POSTROUTING --destination 66...
2024 Jul 16
4
[Bug 1761] New: nft_fib checks only the main route table when iif is a slave of a master vrf interface
...s: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: tsv1991 at gmail.com
Root case:
I want to do the NOTRACK in the PREROUTING chain for traffic that has a "daddr"
route pointing to a specific oif.
What I do:
"nft add rule inet notracks PREROUTING fib daddr oif br999 counter notrack"
The issue:
nftables always checks only main routing table, though the iif for traffic is
slave for master vrf interface also oif always will be slave for master vrf
interface.
Details:
We have VR...
2016 Mar 08
4
[Bug 1057] New: Allow for multiple protocols to be specified in a rule
...: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: karol at babioch.de
Since DNS is allowed over both UDP as well as TCP, I have to specify two rules
each time I want to allow DNS traffic. This looks something like this:
oif eth0 udp dport domain accept
oif eth0 tcp dport domain accept
In an example found online [1] someone showed the following example:
{udp, tcp} sport domain ip daddr 127.0.0.1 accept
Apparently this was never tested. At least it doesn't work for me. For the
example above it would look...
2004 Feb 14
2
Localhost traffic and ipfw rules
...0.1 (Ack+Reset zero data) with source MAC of my default gateway and I can't seem to block this traffic.
Snort picked up the traffic and I have confirmed with tcpdump. So I decided I needed to examine my anti-spoof rules. I already had this one
deny ip from any to 127.0.0.0/8 in recv ${oif}
This never triggered on this traffic so I figured it must be looking for a SYN before it would trigger. So I added the following:
deny tcp from 127.0.0.1 to ${oif} tcpflags ack,rst
This still didn't block the traffic. So, I added the following:
deny ip from 127.0.0.0/8 to ${o...
2020 Jan 15
4
[Bug 1397] New: What am I doing wrong!?
...Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: tad1073 at gmail.com
code snippet
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
fib saddr . iif oif 0 counter drop
fib saddr . iif oif "lo" counter accept
fib saddr . iif oif "$inet_if" counter accept
fib daddr . iif type { local, broadcast, multicast } counter accept
ip daddr 10.0.0.11 tcp dport 80 dnat to 8080
ip daddr 10.0.0.11 udp dp...
2003 Jun 02
6
4.8-Stable DummyNet
Hi. We just opened a gaming center and have chosen to run a FreeBsd box for
our firewall. IPFW is configured at it's very basic running natd through rl0
and allowing any to any connections from the lan to the outer world. Natd
controls access to the lan.
We have a 6.0 mb/s ADSL net connection for all the gaming clients to use,
however if a gamer starts downloading a file, that file
2023 Apr 14
5
[Bug 1673] New: bug egress hook virtio interface with VLAN
...5 y......!36:;w9..
0x0130: c03d 17ff ff00 0064 0004 c75b 2dfc 6e1b .=.....d...[-.n.
0x0140: 42ba 8108 c849 f941 dfcb 5000 9101 01ff B....I.A..P.....
0x0150: 0000 0000 0000 0000 ........
nft monitor :
trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320
0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000
trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict
continue)
trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue)
trace id 195bb0a6 netdev...
2023 Apr 14
3
[Bug 1672] New: bug egress hook virtio interface with VLAN
...5 y......!36:;w9..
0x0130: c03d 17ff ff00 0064 0004 c75b 2dfc 6e1b .=.....d...[-.n.
0x0140: 42ba 8108 c849 f941 dfcb 5000 9101 01ff B....I.A..P.....
0x0150: 0000 0000 0000 0000 ........
nft monitor :
trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320
0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000
trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict
continue)
trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue)
trace id 195bb0a6 netdev...
2005 Aug 10
0
network traffic can''t be seen by iptables when no bridge presents
In my project, I tried to use iptables, instead of bridge, to direct
networking traffics from one VM to another in one host. What I am doing is
I delete xen-br0, and I have two VMs that have IP addresses of 10.8.0.51
and 10.8.0.52. I use
iptables -t mangle -A FORWARD -d 10.8.0.51 -j ROUTE --oif vif1.0
iptables -t mangle -A FORWARD -d 10.8.0.52 -j ROUTE --oif vif2.0
vif1.0 and vif2.0 are the virtual network interfaces of two VMs. In order
to debug the above rules, I log all the traffics:
iptables -t mangle -A PREROUTING -j LOG --log-level debug --log-prefix
"log-everything"
I...
2003 Dec 23
0
No subject
The man page gives this example, however, when I attempt to use it, it ssems
to block the whole set?
Could someone tell me what's going wrong here please. Thanks heaps..
This works,
${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}
This blocks the whole IP block, not just the list?
${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}
the man page bit...
list: {num | num-num}[,list]
Matches all addresses with base address addr (specified as a
dot-...